# Sandbox main configuration file

# Note that configuration parser is fairly basic, so try to keep things simple.

#
# BASIC Section
#

# Basic sandbox configuration. Sandbox will use values here if not already set
# in the environment.  Assignment works like bash variable assignment (ie, last
# value assigned to the variable is used).

# SANDBOX_VERBOSE
#
#  Determine if sandbox print access violations, or if debugging is enabled,
#  it will also print allowed operations.  Default is "yes"
#SANDBOX_VERBOSE="yes"

# SANDBOX_DEBUG
#
#  In addition to the normal log, a debug log is also written containing all
#  operations caught by sandbox.  Default is "no"
#SANDBOX_DEBUG="no"

# NOCOLOR
#
#  Determine the use of color in the output.  Default is "false" (ie, use color)
#NOCOLOR="false"


#
# Namespace Section (Linux-only)
#

# Global knob to control all namespaces.
#NAMESPACES_ENABLE="no"

# Knobs for different types of namespaces.  If the runtime doesn't support a
# particular type, it will be automatically skipped.  Default to off as these
# are currently experimental.
# For more details on each type, see the namespaces(7) manpage.
#NAMESPACE_IPC_ENABLE="no"
#NAMESPACE_MNT_ENABLE="no"
#NAMESPACE_NET_ENABLE="no"
#NAMESPACE_PID_ENABLE="no"
#NAMESPACE_SYSV_ENABLE="no"
#NAMESPACE_USER_ENABLE="no"
#NAMESPACE_UTS_ENABLE="no"


#
# ACCESS Section
#

# The next section contain rules for access.  It works a bit different from the
# previous section in that values assigned to variables stack.  Also since these
# do NOT get overridded by values already set in the environment, but rather
# those get added.
#
# If you want values that only get set if one of the variables are not already
# present in the environment, place a file in /etc/sandbox.d/ (replace /etc
# with what sysconfdir was configured to).
#
# Another difference from above, is that these support simple variable name
# substitution.  Variable names must be in the form of '${variable}' (without
# the '').  It is very basic, so no command substitution, etc is supported.
#
# The values consists of the respective paths seperated by a colon (:)
#
# SANDBOX_DENY - all access to respective paths are denied
#
# SANDBOX_READ - can read respective paths
#
# SANDBOX_WRITE - can write to respective paths
#
# SANDBOX_PREDICT - respective paths are not writable, but no access violation
#                   will be issued in the case of a write
#

# Needed for stdout, stdin and stderr
SANDBOX_WRITE="/dev/fd:/proc/self/fd"
# Common device nodes
SANDBOX_WRITE="/dev/zero:/dev/null:/dev/full"
# Console device nodes
SANDBOX_WRITE="/dev/console:/dev/tty:/dev/vc/:/dev/pty:/dev/tts"
# Device filesystems
SANDBOX_WRITE="/dev/ptmx:/dev/pts/:/dev/shm"
# Tempory storage
SANDBOX_WRITE="/tmp/:/var/tmp/"
# Needed for shells
SANDBOX_WRITE="${HOME}/.bash_history"

